NorthStar Education Services, a student financial aid and payment company, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that NorthStar Education Services has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of NorthStar Education Services’s controls to meet the standards for these criteria.

Taige Thornton, President of NorthStar Education Services, said, “All organizations should ask for SOC reporting from their outsourced service vendors. Whether a vendor can provide a SOC report is a serious risk component that companies need to consider during any vendor due diligence analysis.”

“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “NorthStar Education Services delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on NorthStar Education Services’s controls.”

About NorthStar Education Services
NorthStar Education Services is an affiliate of Ascendium Education Group. For 50 years, our focus has been to deliver industry-leading tools to support educational accessibility and success through student loan repayment, employee benefit/payment assistance, next generation financial wellness and education loan refinancing programs.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over a thousand clients in North America, South America, Asia, Europe, and Australia. The firm has more than a decade of experience in information security by performing assessments, audits, and tests that strengthen information security practices and internal controls. KirkpatrickPrice most commonly performs assessments on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and FERPA frameworks, as well as advanced-level penetration testing. For more information, visit https://kirkpatrickprice.com, follow KirkpatrickPrice on LinkedIn, or subscribe to our YouTube channel.

Independent Audit Verifies AdvicePay’s Internal Controls and Processes

Bozeman, MT – AdvicePay, the leading fee-payment-processing platform designed exclusively for financial advisors, today announced that it has completed its SOC 2 Type II audit, performed by KirkpatrickPrice. This attestation provides evidence that AdvicePay has a strong commitment to security and to delivering high-quality services to its clients by demonstrating that they have the necessary internal controls and processes in place.

A SOC 2 audit provides an independent, third-party validation that a service organization’s information security practices meet industry standards stipulated by the AICPA. During the audit, a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system are tested. The SOC 2 report delivered by KirkpatrickPrice verifies the suitability of the design and operating effectiveness of AdvicePay’s controls to meet the standards for these criteria.

“We are proud to have completed the SOC 2 Type II examination and audit for the second time. Tens of thousands of clients place their trust in our system to deliver best-in-class solutions and safeguards to protect and secure their data,” said Alan Moore, CEO & Co-Founder of AdvicePay. “The successful completion of the SOC 2 Type II examination and audit further proves our commitment to providing the most stringent safety measures to deliver enterprise-grade solutions.”

“The SOC 2 audit is based on the Trust Services Criteria,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “AdvicePay delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on AdvicePay’s controls.”

About AdvicePay

Established by well-known financial advisors Michael Kitces and Alan Moore, AdvicePay is the only billing and payment processing platform created specifically for fee-for-service financial planning. Financial advisors benefit from efficient invoicing and payment workflows designed exclusively to support their businesses, including up-to-date compliance and data security management. Users can issue agreements for client e-signature, accept ACH and credit cards, bill hourly or one-time fees, or establish recurring retainer or subscription billing compliantly – all through the AdvicePay system. To learn more about the AdvicePay platform, visit http://www.AdvicePay.com.



Businesses have many infrastructure hosting solutions to choose from, from physical servers hosted in owned data centers, to colocated servers in managed data centers, to many different cloud platforms. However, in 2021, Amazon Web Services (AWS) is by far the largest infrastructure hosting platform in the world. 

Businesses choose AWS because it offers a diverse array of cloud services backed by the technical expertise of one of the most valuable companies in the world. AWS lowers infrastructure management costs while providing the reliability, scalability, and availability businesses expect. 

Other cloud providers offer roughly equivalent services, including Microsoft Azure and Google Cloud Platform, but AWS had the first-mover advantage, and its growth has outpaced its competition. 

Cloud security is another reason businesses adopt AWS. In the early days of the cloud, business leaders were skeptical that virtualized infrastructure platforms could offer adequate security and privacy. Today, the days of the cloud security naysayers are long past. No infrastructure platform is guaranteed free of vulnerabilities, but cloud platforms like AWS are trusted by businesses, governments, and even national security services.

This article looks at some of the ways AWS enhances cloud security and makes it easier for businesses to maintain secure and compliant infrastructure hosting. We’ll also explore cloud security limitations and how companies can ensure their cloud infrastructure complies with industry best practices and regulatory standards. 

What is Cloud Security?

Cloud security is the resources, tools, and practices that allow businesses to store data and run code securely in the cloud. Cloud security’s primary concern is to limit data and infrastructure access to authorized users, whether that’s a business’s customers or internal users of the cloud platform. 

If a business fails to secure its cloud infrastructure, it risks exposing sensitive data, having its resources hijacked by bad actors, and subjecting its users to malware and other threats. 

Cloud infrastructure faces many different security threats, including:

  • Human error. The majority of cloud security vulnerabilities are caused by configuration errors and poor understanding of cloud security best practices.
  • Social engineering. Bad actors use social engineering techniques such as phishing attacks and executive impersonation to gain access to sensitive cloud resources such as authentication credentials.
  • Endpoint security vulnerabilities. These include software vulnerabilities and poor security practices around the devices end-users use to access cloud resources.
  • Software vulnerabilities. Attackers target code hosted on cloud platforms. According to the Open Web Application Security Project (OWASP) Top Ten, the most common web application vulnerabilities include broken access controls, cryptographic failures, vulnerable and outdated components, and security logging and monitoring failures.

Cloud platforms such as AWS provide tools and services to help businesses overcome these risks. However, cloud security is only effective if businesses understand the risks and how to use the resources their platform provides to combat them. 

Let’s explore five ways AWS helps its users maximize cloud security to protect their data and infrastructure assets. 

1. Amazon-Managed Data Centers, Servers, and Networks

Building and maintaining secure IT infrastructure requires knowledge and experience many businesses lack. Infrastructure security is a specialized field, and without a deep understanding of the risks, it’s all too easy to deploy infrastructure that is vulnerable to attack. 

AWS provides a secure baseline for infrastructure deployment. Its employees include some of the most experienced and knowledgeable cloud security professionals in the industry. They work to implement secure data centers, networks, and servers on which users can deploy their code. 

Furthermore, AWS provides high-level PaaS and managed hosting solutions so users don’t have to worry about securing operating systems, library code, services such as web servers, and other aspects of server security. AWS doesn’t guarantee security, but it does provide a secure foundation. 

2. Powerful Access Management Tools

The OWASP Top Ten includes two security risks related to access management: broken access controls and identification and authentication failures. Identity and access management are among the most challenging security and privacy management features to get right. Infrastructure is useless if the right people can’t use it, but opening the door to them often creates vulnerabilities that bad actors can exploit. 

AWS integrates a range of powerful tools for verifying identity and controlling access.  The Identity and Access Management (IAM) service provides tools for managing access to AWS services and resources. It allows businesses to attach fine-grained permissions to users, groups, and roles. It also offers extra security with multi-factor authentication, and it provides federated access for systems such as Microsoft Active Directory. 

IAM is the centerpiece of AWS’s access management, but the platform incorporates several additional access management tools, including AWS Single Sign-On, AWS Resource Access Manager, and Amazon Cognito.

3. Vulnerability and Breach Protection

How does a business know when its cloud resources have been compromised? Sometimes it’s obvious: data becomes unavailable, and a ransom demand is delivered—there were over 300 million ransomware attacks in 2020. But businesses would ideally be aware of breaches before the worst happens. 

AWS offers several tools for monitoring cloud resources for potential breaches. Amazon GuardDuty continuously analyzes logs, using machine learning and threat intelligence to identify breaches. Amazon Inspector assesses applications for vulnerabilities. AWS CloudTrail tracks user activity and API usage, helping businesses to identify and mitigate security breaches. 

4. Encryption and Data Protection

Cryptographic failures are in second place on the OWASP Top Ten. Data should be encrypted in transit and at rest, and encryption keys should be managed to limit the risk of exposure. AWS has many data protection tools that help businesses to encrypt their data. 

Data storage services such as Amazon S3 and Amazon EBS can encrypt data transparently. Data is automatically encrypted as it moves between components of an AWS environment. Amazon Macie helps businesses to identify and protect sensitive data. In addition to integrated encryption services, AWS also offers a range of key and certificate management services, including AWS Certificate Manager and AWS Key Management Service (KMS).

5. AWS Firewalls 

Firewalls allow AWS users to analyze and filter incoming and outgoing network traffic. AWS incorporates a multitude of firewalls, including the stateful Security Groups and stateless Network Access Control Lists. We wrote more about both in Cloud Security: What are AWS Security Groups? 

In addition to network firewalls, AWS also provides more specialized firewall services, such as the AWS Web Application Firewall (WAF), which analyzes web traffic to identify malicious requests. AWS WAF filters attacks before they reach web applications, including SQL injection and cross-site scripting, which appear on the OWASP Top Ten. 

How AWS Audits Improve Cloud Security

We’ve looked at five ways AWS empowers businesses to enhance cloud security, but the existence of these tools and services is no guarantee they are used correctly. Misconfiguration is the most common cause of cloud security breaches and data leaks. 

KirkpatrickPrice is a CPA firm specializing in information security, including cloud security. Our services help businesses to verify their AWS cloud environments are secure and compliant. They include:

  • Remote Cloud Security Assessments, which analyze AWS, Azure, and GCP configurations for misconfigurations and vulnerabilities.
  • Cloud Security Audits, which test your cloud controls against a framework based on the CIS Benchmarks for AWS and other cloud platforms. 
  • Pen Testing Services, which leverage the expertise of skilled penetration testers to verify your network, web application, API, and wireless security. 

To learn more, contact an AWS security auditor today or visit the KirkpatrickPrice AWS Cybersecurity Services, where you’ll find a wealth of actionable information focused on AWS security and our AWS Security Scanner.  

AWS provides dozens of cloud services ranging from storage and compute to machine learning and security services. AWS is by far the biggest cloud platform, and thousands of businesses entrust it with their most sensitive data and critical workloads. Ensuring only authorized users can access these assets is the job of AWS Identity and Access Management (AWS IAM). 

As you might imagine, improper use of AWS IAM can create serious security vulnerabilities. This article introduces AWS IAM and discusses five of the most critical AWS IAM security best practices. 

What is AWS IAM?

AWS IAM is a cloud service for managing access to resources in the AWS cloud. As the name suggests, IAM has two main roles:

  • Identity management — verifying that a user is who they claim to be with authentication mechanisms such as passwords, multi-factor authentication, and federated identity management solutions such as Microsoft Active Directory. 
  • Access management — controlling which resources users can access. Each user has a set of permissions that determine the actions they can take within a business’s AWS account. 

These roles mean that IAM is the gatekeeper for AWS resources. If businesses fail to follow IAM best practices, they risk giving unauthorized users access to their data and infrastructure. 

What Are Users, Groups, and Roles in AWS IAM?

When an AWS account is first created, it has a single user. This is the root user, which has complete access to all resources. As we’ll discuss in the next section, the root user should not be used for day-to-day operations. It should, however, be used to create other IAM identities with varying permissions.

IAM provides three primary types of identity: users, groups, and roles. Each has an associated set of permissions, but they serve different purposes. 

  • Users — users represent people, and they are used to give individuals the ability to log in and manage AWS resources. Users are granted permissions, either by attaching a permissions policy or by adding them to a group. IAM users can also generate access keys, which can be used for programmatic access to AWS APIs. 
  • Groups — a group is a collection of users. Groups also have configurable permissions, which all members inherit. Groups make it easy to grant permissions to a class of users. For example, a business might create a DevOps group with permissions to manage EC2 instances. 
  • Roles — roles have many of the same properties as users. However, roles are not linked to a single individual, and they do not have log-in credentials. Instead, roles are temporarily assumed by users who need a specific set of permissions to complete a task. 

5 Steps to Secure Your AWS IAM Account

1. Create IAM Users with Appropriate Permissions 

We recommend using the root account to create users, groups, and roles with suitable permissions. Once that’s done, use those identities to manage day-to-day operations. To further improve IAM security, activate multi-factor authentication on user accounts. With MFA turned on, a user account cannot be accessed with its password alone, even if that password is exposed.

2. Enforce AWS Least-Privilege Permissions

Create permissions policies that provide the lowest possible access.  IAM identities cannot control resources unless they are given permission.  Determine the minimum set of permissions to grant when creating users, groups, and roles. You can always add more later if they’re needed. 

It may be tempting to give users broad permissions in case they need to carry out a particular task. But it is more secure to be restrictive at first, only granting additional privileges when a user finds they are required. 

As your business and its AWS environment evolve, the permissions needed by IAM identities will change. Perhaps a user needed broad permissions to manage resources at one time, but no longer. In that case, their permissions should be restricted and unnecessary access removed. For the same reason, ensure that unused users, roles, and groups are deleted. 

You may also want to use IAM Access Analyzer to refine permissions policies. IAM Access Analyzer helps businesses to maintain least-privilege access by generating permissions policies based on access activities. IAM Access Analyzer also provides last-accessed and last-used timestamps that can help you to identify unneeded permissions and unused identities.

3. Secure the AWS IAM Root Account

As we mentioned above, the root account has universal permissions. It can access and control all resources owned by an AWS account. With its access keys, developers can control those resources via AWS APIs. The root account is uniquely useful, but it is also uniquely dangerous. Attackers may gain complete control of your AWS account if its credentials or access keys are exposed.

Therefore, the AWS root account and its access keys should not be used to manage AWS resources. If your business is already using the root account in day-to-day operations, consider creating new user accounts with limited permissions. Use these instead of the root account. Change the root account’s password and delete its access keys. Use AWS CloudTrail and CloudWatch to monitor API calls to ensure that you haven’t missed any use of the root account.

4. Ensure Account Information Is Accurate

AWS may send you security notifications, and it’s imperative they go to the correct email addresses. It’s not unusual for businesses to create AWS accounts with email addresses that aren’t monitored. We recommend designating one or several individuals responsible for checking and responding to notifications. Ensure that their contact details are correctly recorded in AWS and that they regularly check the email inboxes for notifications. 

In addition to the primary email address associated with an account, AWS provides alternate contacts for billing, operations, and security notifications. Businesses can use these addresses to ensure notifications are sent to the right people. 

5. Use AWS Security Hub, Amazon GuardDuty, and other AWS Security Tools

AWS provides several services to help businesses to monitor and improve security. Perhaps the most important is the AWS Security Hub. The Security Hub centralizes alerts from several other services, allowing companies to access high-priority security alerts quickly. 

The services that send alerts to AWS Security Hub include:

  • Amazon GuardDuty, a threat detection service that monitors AWS accounts for malicious activity. 
  • Amazon Inspector, an automated security assessment service. 
  • AWS Firewall Manager, a centralized firewall management service.
  • Amazon Macie, a data security and privacy service that uses machine learning to help businesses to identify and protect sensitive information. 

KirkpatrickPrice’s AWS Cybersecurity Services provide AWS audits and a wealth of actionable information to help businesses identify AWS security and compliance threats and protect their infrastructure and data. Contact a cloud information security specialist today for assistance with your AWS security and compliance challenges. 

AWS Vulnerabilities

Amazon Web Services (AWS) dominates the enterprise cloud landscape. Around two-thirds of business cloud users host infrastructure on AWS.  That includes many of the biggest companies in the world and small and medium businesses in the tens of thousands. AWS’s popularity makes it a tempting target for cybercriminals: AWS vulnerabilities could let them steal data from thousands of businesses.

Amazon regularly finds and fixes vulnerabilities in the platform’s code and networks. However, many common AWS vulnerabilities originate with users.  AWS provides tools to help cloud users secure their data and infrastructure, but it is a complex cloud platform. Inexperienced users often misconfigure cloud resources, creating security vulnerabilities. 

This article will help you understand frequently exploited AWS vulnerabilities and how to guard against them. 

AWS Root Account Credential Leaks

The AWS root account controls every aspect of your AWS environment. The root account can add new users, modify user permissions,  create and destroy cloud resources, and access all of your data.  It’s important to have a root account. Without it, you would not be able to set up your AWS environment in the first place. But if it leaks, that environment has no protection. 

You should share the root account’s credentials only with trusted senior employees who need root access. It should not be widely shared within your organization, and it should not be used during the day-to-day operation of your AWS environment. Use the root account to set up IAM users with appropriate permissions, then rely on the new user accounts going forward. To further improve AWS security, activate two-factor authentication on the root account and disable the account’s API access key. 
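
The monitoring step recommended above (and in the IAM article's "Secure the AWS IAM Root Account" section) can be turned into a simple detection. The following is an added example, not code from the original articles: it reads events in CloudTrail's JSON log-file layout, flags every action taken with the root identity, and flags successful console sign-ins made without MFA. The events, account ID and source addresses are constructed for the demo.

```python
"""Flag root-account activity and MFA-less console sign-ins in CloudTrail records.

Added example, not code from the original article. The record layout follows
CloudTrail's log-file format ({"Records": [...]}); the events themselves are
constructed for this demo, with a placeholder account ID and documentation IPs.
"""
import json

# Constructed CloudTrail log file, trimmed to the fields the checks below read.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2021-06-01T08:12:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2021-06-01T09:00:00Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2021-06-01T09:30:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"},
     "additionalEventData": {"MFAUsed": "Yes"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.20"},
    {"eventTime": "2021-06-01T10:05:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Success"},
     "sourceIPAddress": "203.0.113.21"},
    {"eventTime": "2021-06-01T10:06:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "bob",
                      "arn": "arn:aws:iam::111122223333:user/bob"},
     "additionalEventData": {"MFAUsed": "No"},
     "responseElements": {"ConsoleLogin": "Failure"},
     "sourceIPAddress": "203.0.113.21"},
    {"eventTime": "2021-06-01T10:10:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/DevOps/ci"},
     "sourceIPAddress": "203.0.113.30"},
]})


def load_records(log_text):
    """Parse a CloudTrail log file and return its list of event records."""
    return json.loads(log_text).get("Records", [])


def is_root_activity(event):
    """Any API call or sign-in made with the account's root identity."""
    return event.get("userIdentity", {}).get("type") == "Root"


def is_login_without_mfa(event):
    """A successful console sign-in where no MFA device was used."""
    if event.get("eventName") != "ConsoleLogin":
        return False
    if event.get("responseElements", {}).get("ConsoleLogin") != "Success":
        return False  # failed attempts are a separate signal; not counted here
    return event.get("additionalEventData", {}).get("MFAUsed") != "Yes"


def who(event):
    """Human-readable identity: user name when present, otherwise the ARN."""
    ident = event.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn", "unknown")


def find_findings(events):
    """Return (kind, eventName, identity, sourceIP, eventTime) tuples."""
    findings = []
    for ev in events:
        base = (ev.get("eventName"), who(ev), ev.get("sourceIPAddress"), ev.get("eventTime"))
        if is_root_activity(ev):
            findings.append(("ROOT_ACTIVITY",) + base)
        if is_login_without_mfa(ev):
            findings.append(("LOGIN_WITHOUT_MFA",) + base)
    return findings


def summarize(log_text):
    """Count findings per kind so the result can be alerted on or graphed."""
    counts = {}
    for finding in find_findings(load_records(log_text)):
        counts[finding[0]] = counts.get(finding[0], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in find_findings(load_records(SAMPLE_LOG)):
        print(*finding)
    print(summarize(SAMPLE_LOG))
```

Any `ROOT_ACTIVITY` finding after the root account has been retired from daily use deserves an immediate look, since it means either a missed workflow or a compromised credential; the `LOGIN_WITHOUT_MFA` findings list the users whose MFA rollout is still incomplete.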

Exposed AWS Access Keys

AWS access keys are credentials used for programmatic access to AWS APIs. Your code can use access keys to carry out tasks that the associated user has permission to perform. For example, your app might use access keys to deploy EC2 instances or store data in an S3 bucket. 

Misused access keys can create an AWS vulnerability. They are often embedded in code, which is then uploaded to a version control system like GitHub. Bad actors frequently target businesses that upload access keys to public repositories. But it is also dangerous to store keys in private repositories. Just like usernames and passwords, access keys should not be shared widely within your organization. If you put them in a private repository, anyone with access to the repository can see the keys. 

We explored how businesses can better protect their AWS access keys in How to Keep AWS Access Keys and Other Secrets Safe.

Sensitive Resources on Public Subnets

Amazon Virtual Private Cloud (VPC) allows businesses to create virtual network environments. VPC gives AWS users control over their network, including network security, routing, resource deployment, and subnets. 

Subnets are one of VPC’s biggest security and availability advantages. Businesses can create logically isolated subnets with traffic screening and access restrictions. For example, they can deploy public subnets connected to an internet gateway and private subnets that are not accessible from the internet. Private subnets can only be accessed by internal resources, making them an excellent option for database servers and other resources that should be hidden from the internet.

When you first provision a VPC, it contains a default public subnet. Unfortunately, many users do not change the original configuration. They deploy servers and databases to the default subnet, exposing them to the internet and creating a dangerous security vulnerability. 

Overly Broad IAM Permissions

AWS Identity and Access Management (IAM) allows businesses to specify user access permissions, groups, and roles. IAM permissions limit the actions these entities can take and the resources they can access.  Permissions should be limited to provide only the access an entity needs. 

Businesses often fail to set permissions correctly, configuring overly broad permissions or failing to re-assess permissions over time. If credentials leak, an attacker gains more access than they otherwise would have. But even if the credentials don’t leak, internal users may access sensitive resources and cause security and availability issues. 
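
The "Enforce AWS Least-Privilege Permissions" guidance earlier on this page and the section above both come down to the same question: does a policy grant more than the job needs? The following is an added example, not code from the original articles: a small linter for IAM policy documents that flags Allow statements with `Action: "*"`, service-wide or wildcard actions, `Resource: "*"`, and the easily overlooked Allow-with-NotAction pattern. The two sample policies are constructed and the bucket name is a placeholder.

```python
"""Lint IAM policy documents for statements broader than least privilege.

Added example, not code from the original article. The policy shape is the
standard IAM JSON policy grammar; the two sample policies are constructed and
the bucket name is a placeholder.
"""

# Constructed: an over-broad policy of the kind the article warns about.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow",
         "Action": "*", "Resource": "*"},
        {"Sid": "S3Admin", "Effect": "Allow",
         "Action": ["s3:*"], "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "AllButIam", "Effect": "Allow",
         "NotAction": "iam:*", "Resource": "*"},
    ],
}

# Constructed: the same job scoped to the actions and objects actually needed.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadWriteReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "ListReportsBucket", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-reports"},
        {"Sid": "DenyDeletes", "Effect": "Deny",
         "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::example-reports/*"},
    ],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, code, detail) findings for every over-broad Allow statement."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid") or "Statement[%d]" % index
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "ALLOW_WITH_NOT",
                             "Allow + NotAction/NotResource grants everything not listed"))
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append((sid, "ALL_ACTIONS", action))
            elif action.endswith(":*"):
                findings.append((sid, "SERVICE_WIDE_ACTION", action))
            elif "*" in action:
                findings.append((sid, "WILDCARD_ACTION", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((sid, "ALL_RESOURCES", resource))
    return findings


def is_least_privilege(policy):
    """True when the linter has nothing to say about the policy."""
    return lint_policy(policy) == []


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, lint_policy(policy))
```

The linter is deliberately syntactic: it cannot tell whether `s3:PutObject` on a given prefix is really required, only that nothing in the policy is obviously wider than a prefix. Pairing its output with IAM Access Analyzer's last-accessed data, as the IAM article suggests, answers the second question.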

Public Access to Origin Databases

Origin databases should be hidden from the internet. These databases support your apps and services. They may need to be accessible to web servers and other public-facing resources. But there is rarely a good reason to expose their IP address to external connections. 

An exposed origin database IP allows attackers to exploit other vulnerabilities. For example, an attacker could connect and exfiltrate data if the database’s access permissions are not correctly configured. This type of vulnerability has been the root cause of numerous data leaks.

Permissive Security Group Rules

Security groups are AWS’s virtual firewall. They allow businesses to restrict traffic to and from AWS resources. The user creates a security group and configures inbound and outbound traffic rules. They can then assign the security group to other resources, such as EC2 instances. Security groups are highly flexible, empowering users to create custom firewalls for different scenarios. 

All AWS accounts have a default security group. The default group has permissive rules: it allows inbound traffic on all ports from network interfaces and instances within the same security group. It also allows all outbound traffic. The default group is automatically used for new resources when a custom group is not specified. 

If you don’t adjust the default security group’s rules or create and assign custom groups, instances and other resources are deployed with broad permissions. Many businesses fail to do so. Consequently, instances are often deployed with vulnerable ports that are accessible from the internet. 
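
The three network findings above (resources on public subnets, origin databases reachable from the internet, and permissive security group rules) are only dangerous in combination: an open port matters when the instance also sits on a subnet routed to an internet gateway and has a public address. The following is an added example, not code from the original article, that combines those conditions the way an assessor would. The data mirrors the shape of EC2 `describe-route-tables`, `describe-security-groups` and `describe-instances` output, trimmed to the fields used; every ID and address is constructed, and the "reachable" test is simplified to public-subnet-plus-public-IP (it ignores load balancers and NAT).

```python
"""Find instances reachable from the internet through permissive security group rules.

Added example, not code from the original article. The data below mirrors the
shape of EC2 describe-route-tables / describe-security-groups / describe-instances
output, trimmed to the fields used; all IDs and addresses are constructed.
"""

SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
                   5432: "postgres", 27017: "mongodb", 6379: "redis"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
]

SECURITY_GROUPS = {
    "sg-web": {"GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "sg-db": {"GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # The default group as AWS creates it: everything from members of the same group.
    "sg-default": {"GroupName": "default", "IpPermissions": [
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-default"}]}]},
}

INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-public",
     "PublicIpAddress": "203.0.113.10", "SecurityGroups": ["sg-web"]},
    {"InstanceId": "i-db-private", "SubnetId": "subnet-private",
     "SecurityGroups": ["sg-db"]},
    {"InstanceId": "i-db-public", "SubnetId": "subnet-public",
     "PublicIpAddress": "203.0.113.11", "SecurityGroups": ["sg-db", "sg-default"]},
]


def public_subnets(route_tables):
    """Subnets whose route table sends 0.0.0.0/0 to an internet gateway."""
    result = set()
    for table in route_tables:
        to_igw = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                     and str(r.get("GatewayId", "")).startswith("igw-")
                     for r in table["Routes"])
        if to_igw:
            result.update(a["SubnetId"] for a in table["Associations"] if "SubnetId" in a)
    return result


def internet_open_ranges(group):
    """(from_port, to_port) ranges the group allows inbound from any address."""
    ranges = []
    for perm in group["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not ANYWHERE.intersection(cidrs):
            continue
        if perm["IpProtocol"] == "-1":       # all protocols, all ports
            ranges.append((0, 65535))
        else:
            ranges.append((perm["FromPort"], perm["ToPort"]))
    return ranges


def assess_instances(instances, security_groups, route_tables):
    """Per instance: is it internet-exposed, on which ranges, and which are sensitive."""
    pub_subnets = public_subnets(route_tables)
    report = {}
    for inst in instances:
        groups = [security_groups[g] for g in inst["SecurityGroups"]]
        open_ranges = sorted({r for g in groups for r in internet_open_ranges(g)})
        reachable = inst["SubnetId"] in pub_subnets and "PublicIpAddress" in inst
        exposed = reachable and bool(open_ranges)
        sensitive = sorted(p for p in SENSITIVE_PORTS
                           if any(lo <= p <= hi for lo, hi in open_ranges)) if exposed else []
        report[inst["InstanceId"]] = {
            "exposed": exposed,
            "open_ranges": open_ranges,
            "sensitive_ports": sensitive,
            # an open rule on an unreachable instance goes live the moment the
            # instance gets a public IP or is moved to a public subnet
            "latent_open_rule": bool(open_ranges) and not exposed,
            "uses_default_group": any(g["GroupName"] == "default" for g in groups),
        }
    return report


if __name__ == "__main__":
    for instance_id, verdict in assess_instances(INSTANCES, SECURITY_GROUPS, ROUTE_TABLES).items():
        print(instance_id, verdict)
```

In the constructed data `i-db-public` is the case the article describes: a database on the default public subnet with port 3306 open to the world, still attached to the default security group. `i-db-private` has the same rule but is unreachable, which is why the report records it as latent rather than ignoring it.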

We covered AWS security in greater detail in 10 Top Tips For Better AWS Security Today.

Server-Side Request Forgery

In 2019, the Capital One credit card company leaked customer details from 100 million accounts, exposing AWS vulnerabilities. The attack was later found to have exploited Server-Side Request Forgery (SSRF). SSRF turns a business’s cloud infrastructure against it.

Imagine a business that stores sensitive information in a database. The database is hosted on a cloud server without an external IP. The attacker can’t connect to it directly. But they may be able to connect to an internet-facing server with permission to access the database. In an SSRF attack, the attacker exploits a vulnerability in the internet-facing server and uses the server to send hostile requests to the target database. 

For that to work, a resource on an external IP must be improperly configured. In the Capital One case, the attackers exploited overly broad Web Application Firewall (WAF) rules—similar to the situation described in the previous section. However, many different configuration errors might open the door to an SSRF attack. 
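
Beyond the firewall rules the article focuses on, the internet-facing application itself can refuse to be used as a relay. The following is an added example, not code from the original article: a validator that an application calls before fetching any user-supplied URL, accepting only http/https, resolving the host, and rejecting anything that resolves to a private, loopback, link-local or otherwise special-purpose address. The resolver is injected so the demo runs offline; the hostnames and addresses in `FAKE_DNS` are constructed.

```python
"""Validate outbound URLs before a server fetches them, so that user-supplied
addresses cannot steer the server at internal or link-local resources.

Added example, not code from the original article. The resolver is injected
so the demo runs offline; the hostnames and addresses in FAKE_DNS are
constructed.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS answers standing in for socket.getaddrinfo().
FAKE_DNS = {
    "api.partner.example": ["23.45.67.89"],
    "internal.corp.example": ["10.0.0.12"],
    "flip.example": ["23.45.67.89", "127.0.0.1"],   # one public, one loopback
}


def fake_resolve(host):
    """Stand-in resolver: returns the constructed answers for a host name."""
    return FAKE_DNS.get(host, [])


def is_public_address(ip_text):
    """True only for addresses outside private, loopback, link-local and
    other special-purpose ranges (IPv4-mapped IPv6 is unwrapped first)."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url, resolve=fake_resolve):
    """Return (ok, reason, addresses). Every resolved address must be public,
    and the caller should connect to one of the returned addresses rather
    than re-resolve the name, otherwise a changed DNS answer bypasses the check."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme, []
    if not parts.hostname:
        return False, "no host in URL", []
    if parts.username is not None:
        return False, "credentials in URL are not accepted", []
    try:                       # literal IP address: no DNS lookup needed
        addresses = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addresses = resolve(parts.hostname)
    if not addresses:
        return False, "host does not resolve", []
    bad = [a for a in addresses if not is_public_address(a)]
    if bad:
        return False, "resolves to non-public address: %s" % ",".join(bad), []
    return True, "ok", addresses


if __name__ == "__main__":
    for candidate in ("https://api.partner.example/v1/report",
                      "http://internal.corp.example/", "http://127.0.0.1:8080/"):
        print(candidate, validate_outbound_url(candidate))
```

Two design points matter in practice: a host with several answers is rejected if any one of them is non-public, and the validated addresses are handed back so the HTTP client can connect to them directly. An allowlist of permitted partner hosts, where the application's integrations are known in advance, is simpler and stronger still.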

Misconfigured S3 Storage Buckets 

We have left one of the most common AWS vulnerabilities until last. AWS S3 is a popular block storage service used by thousands of businesses. S3 stores data in buckets with flexible access permissions. Misconfiguring those permissions may allow malicious third parties to access sensitive data.

A huge number of businesses have been caught out in this way. They deliberately or unintentionally configure S3 buckets for public access. Bad actors scan for misconfigured buckets and exfiltrate the data. Victims of this AWS vulnerability include Twilio, BHIM, Attunity, and dozens more. 
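
Whether a bucket is actually public depends on three settings together: its ACL, its bucket policy, and the account- or bucket-level Block Public Access configuration that can neutralise the first two. The following is an added example, not code from the original article, that combines them into a verdict the way a configuration review would. Field names follow the S3 API responses (`GetBucketAcl`, `GetBucketPolicy`, `GetPublicAccessBlock`); the buckets themselves are constructed and their names are placeholders, and policy statements that carry a `Condition` are set aside for manual review rather than judged.

```python
"""Decide whether an S3 bucket is publicly readable from its ACL, policy and
Block Public Access settings.

Added example, not code from the original article. The field names follow the
S3 API (GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock); the buckets
themselves are constructed and their names are placeholders.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
PAB_ON = {key: True for key in PAB_OFF}

# Constructed buckets: {name: {"acl": grants, "policy": JSON text or None, "pab": settings or None}}
BUCKETS = {
    "example-acl-leak": {
        "acl": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
        "policy": None, "pab": None},
    "example-policy-open": {
        "acl": [], "pab": PAB_OFF,
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-policy-open/*"}]})},
    "example-locked": {   # same mistakes, but Block Public Access overrides them
        "acl": [{"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS}, "Permission": "READ"}],
        "pab": PAB_ON,
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
             "Resource": "arn:aws:s3:::example-locked/*"}]})},
    "example-private": {
        "acl": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                 "Permission": "FULL_CONTROL"}],
        "policy": None, "pab": PAB_ON},
}


def public_acl_grants(grants):
    """Grants to the AllUsers or AuthenticatedUsers groups (both are public)."""
    return [g["Permission"] for g in grants
            if g["Grantee"].get("URI") in (ALL_USERS, AUTHENTICATED_USERS)]


def public_policy_statements(policy_text):
    """Allow statements open to any principal. Statements with a Condition are
    returned separately: they may or may not be public, so a human should look."""
    public, needs_review = [], []
    if not policy_text:
        return public, needs_review
    for stmt in json.loads(policy_text).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if not anyone:
            continue
        (needs_review if "Condition" in stmt else public).append(stmt.get("Action"))
    return public, needs_review


def assess_bucket(bucket):
    """Combine ACL, policy and Block Public Access into an exposure verdict."""
    pab = bucket.get("pab") or PAB_OFF   # no configuration means nothing is blocked
    reasons = []
    grants = public_acl_grants(bucket["acl"])
    if grants and not pab["IgnorePublicAcls"]:
        reasons.append("public ACL grant: %s" % ",".join(grants))
    public, review = public_policy_statements(bucket["policy"])
    if public and not pab["RestrictPublicBuckets"]:
        reasons.append("public policy allows: %s" % ",".join(map(str, public)))
    return {"public": bool(reasons), "reasons": reasons, "review": review,
            "block_public_access_complete": all(pab.values())}


def assess_all(buckets):
    """Run the verdict over every bucket, keeping the input order."""
    return {name: assess_bucket(b) for name, b in buckets.items()}


if __name__ == "__main__":
    for name, verdict in assess_all(BUCKETS).items():
        print(name, verdict)
```

`example-locked` carries both a public ACL grant and a public policy, yet is not exposed because `IgnorePublicAcls` and `RestrictPublicBuckets` are on; that is the setting to check first in a review, since it protects against exactly the accidental configurations the article describes.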

How KirkpatrickPrice Helps

KirkpatrickPrice is a licensed CPA firm specializing in information security. We provide services to help clients secure their cloud infrastructure and comply with information security and privacy regulations, including:

Contact us today to begin your journey to improved AWS security.